In part 1 of this series I discussed the development of mobile strategy, policy and education to help companies become a successful mobile enterprise. Now I want to talk about another very important issue: security.
Most companies approach mobile security with a focus on the device, whereas IBM thinks that all three areas—devices and operating systems (OS), network or back office, mobile apps—should be comprehensively secured for sufficient security. Let's examine each area.
Device and OS security
When I’ve showcased IBM to the customer, I've often found that many of them still tend to approach mobile security from the same perspective as PC security. It is true that we need to manage mobile security to the same level; however, the security risk of mobile devices is different from that of PCs.
Mobile device risk overview[/caption] As shown in the above figure, most security risks for mobile devices are not caused by malware but by loss, theft and seizure. Therefore you have two options: (1) Don’t store sensitive information in your mobile devices, and use Virtual Desktop Infrastructure (VDI) instead. (2) If you choose to store sensitive information, appropriate security policies should be established for device registration, corporate compliance, information wipe, device lock, encryption and so on.
For instance, a certain company I know found that as many as 5 percent of their employees’ mobile phones are reported to have been lost, 40 percent of which were permanently lost. Nobody knows what kind of damage could result if the company's confidential information was stored on those lost mobiles.
As for OS security, a policy needs to be set in place that only allows devices with properly secured OS versions to be connected to the corporate network. A corporate guideline for a minimum required OS version should be provided, as mobile operating systems are continuously patched and updated with security patches just like those for PC. However, security of smart devices is much less developed than that of PCs. Mobile phone providers need to strengthen security features for enterprise users.
To mitigate device security risk, mobile device management (MDM) should be used; it is the most basic of basics and generally regarded as a must. However, implementing an MDM solution does not necessarily guarantee mobile security. It is the CIO organization's task to determine how to optimize the settings of this tool.
Device-level configurations that can be enforced by MDM are:
- Check password (minimum length, alphanumeric, auto-wipe after incorrect password type, forced password change frequency, automatic lock after certain period of inactivity and so on)
- Remote wipe when lost
- Check anti-malware installation
- Check OS version or device rooting/jailbreaking
- Storage encryption check (backup image encryption for iOS device)
- Prevent browser pop-up windows
Network and back office security
The second security area is network and back office.
In the long term, IBM plans to allow access to IBM systems regardless of OS or ownership of devices and is designing its security system based on this vision. This is a system that only allows devices confirmed secure to access the in-house network through internal WiFi or external virtual private network (VPN). In this system, mobile users and devices should be identified first to be allowed or denied access.
Many considerations need to be put into VPN implementation. You can categorize users and then grant higher access privileges to power users (and raise the device security level instead); or allow access per application by means of reverse proxy (and lower the device security level instead). Mobile devices mainly use wireless communication, so the traffic might be intercepted unless proper protection is provided by encryption. This makes the proper choice of VPN solution even more important.
Mobile app security
The third security area is mobile apps. Applications are developed by humans, so the level of security applied during application coding can vary greatly, unless proper management tools are used. For this end, you must identify an application’s vulnerabilities and select proper development tools to handle them and ensure consistent updates of the applications.
In addition, the enterprise app store should be properly managed too. Unlike other applications, mobile applications can be freely developed and distributed by anyone, which also means that malicious apps can be easily distributed. I therefore recommend that you create an enterprise app store where you can download only authorized enterprise apps and easily update those apps.
"High-level security” cannot be achieved by whatever security tools you might use to care for the above three security areas. Mobile devices are portable, so their confidential data can be exposed to anyone at any time, and no security tool can completely prevent such information exposure. Security training for users is therefore indispensable.
Implementing a secure environment with limited in-house security resources is not easy unless done by a specialized IT company, as it requires lots of testing and research. I recommend that companies get consulting service on mobile security. IBM can recommend an optimized security level for your enterprise based upon its successful security consulting experiences, ranging from internal customers to various industries including finance, health care and so on.
Smart devices are always carried with the user, which requires consideration for user's convenience and privacy. While users focus on convenience, companies have to balance between security cost and security level. Determining an appropriate security level for your environment while considering the cost is the trickiest problem.
What are your experiences with security in a mobile enterprise? Share your comments below, and please stay tuned for the next installment in my series, “How to be a successful mobile enterprise.”Junggun Cho helps oversee security, network and mobility areas in Korea BT/IT. She is also an IBM Redbooks thought leader. Follow Junggun on Twitter at @junggun_cho.